红帽全球峰会19.2. Configuring Google workload identity federation
RHACS integrations can authenticate against the Google Cloud by using workload identities. Select the Use workload identity option upon creation to enable workload identity authentication in a Google Cloud integration.
The Google service account associated with the RHACS pod through the workload identity must have the IAM permissions required by the integration. For example, to set up a workload identity for integrating with Google Artifact Registry, connect a service account with the roles/artifactregistry.reader role. For more information about Google IAM roles see Configure roles and permissions.
19.2.1. Configuring Google Kubernetes Engine (GKE)
When running Red Hat Advanced Cluster Security for Kubernetes (RHACS) on GKE, you can configure short-lived tokens through Google workload identities.
If you use Kubernetes, enter kubectl instead of oc.
Prerequisites
- You must have access to the Google Cloud project containing the cluster and integration resources.
Procedure
- Follow the instructions in the Google Cloud documentation to Use workload identity federation for GKE.
Annotate the RHACS service account by running the following command:
$ oc annotate serviceaccount \ central \ --namespace stackrox \ iam.gke.io/gcp-service-account=<GSA_NAME>@<GSA_PROJECT>.iam.gserviceaccount.com重要When setting up delegated scanning, use sensor instead of central.
19.2.2. Configuring OpenShift Container Platform
You can configure short-lived tokens through Google workload identities when running Red Hat Advanced Cluster Security for Kubernetes (RHACS) on OpenShift Container Platform.
Prerequisites
- You must have a public OIDC configuration bucket with the OpenShift Container Platform service account signer key. The recommended way to obtain the OIDC configuration for the OpenShift Container Platform cluster is to use the Cloud Credential Operator in manual mode for short-term credentials instructions.
- Access to a Google Cloud project with the roles/iam.workloadIdentityPoolAdmin role.
Procedure
Follow the instructions at Manage workload identity pools to create a workload identity pool. For example:
$ gcloud iam workload-identity-pools create rhacs-pool \ --location="global" \ --display-name="RHACS workload pool"Follow the instructions at Manage workload identity pool providers to create a workload identity pool provider. For example:
$ gcloud iam workload-identity-pools providers create-oidc rhacs-provider \ --location="global" \ --workload-identity-pool="rhacs-pool" \ --display-name="RHACS provider" \ --attribute-mapping="google.subject=assertion.sub" \ --issuer-uri="https://<oidc_configuration_url>" \ --allowed-audiences=openshiftConnect a Google service account to the workload identity pool. For example:
$ gcloud iam service-accounts add-iam-policy-binding <GSA_NAME>@<GSA_PROJECT>.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member="principal://iam.googleapis.com/projects/<GSA_PROJECT_NUMBER>/locations/global/workloadIdentityPools/rhacs-provider/subject/system:serviceaccount:stackrox:central"where:
<system:serviceaccount:stackrox:central>- Specifies the subject. For delegated scanning, you must set the subject to system:serviceaccount:stackrox:sensor.
Create a service account JSON containing the Security token service (STS) configuration. For example:
{ "type": "external_account", "audience": "//iam.googleapis.com/projects/<GSA_PROJECT_ID>/locations/global/workloadIdentityPools/rhacs-pool/providers/rhacs-provider", "subject_token_type": "urn:ietf:params:oauth:token-type:jwt", "token_url": "https://sts.googleapis.com/v1/token", "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<GSA_NAME>@<GSA_PROJECT>.iam.gserviceaccount.com:generateAccessToken", "credential_source": { "file": "/var/run/secrets/openshift/serviceaccount/token", "format": { "type": "text" } } }Use the service account JSON as a secret to the RHACS namespace:
apiVersion: v1 kind: Secret metadata: name: gcp-cloud-credentials namespace: stackrox data: credentials: <base64_encoded_json>
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}